From ae6242bdede070e72384a0d7da2a1f6a6505db57 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 20 Aug 2025 16:01:10 +0000 Subject: [PATCH] remove OCSP, #1576 --- user.js | 31 ++++++------------------------- 1 file changed, 6 insertions(+), 25 deletions(-) diff --git a/user.js b/user.js index 613ba3b..5235b03 100644 --- a/user.js +++ b/user.js @@ -401,29 +401,6 @@ user_pref("security.ssl.require_safe_negotiation", true); * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ user_pref("security.tls.enable_0rtt_data", false); -/** OCSP (Online Certificate Status Protocol) - [1] https://scotthelme.co.uk/revocation-is-broken/ - [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ -***/ -/* 1211: enforce OCSP fetching to confirm current validity of certificates - * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only - * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority) - * It's a trade-off between security (checking) and privacy (leaking info to the CA) - * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling - * [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers... - * [1] https://en.wikipedia.org/wiki/Ocsp ***/ -user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1] -/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail - * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR | SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST - * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) - * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) - * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it - * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers) - * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ - * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html - * [3] https://letsencrypt.org/2024/12/05/ending-ocsp/ ***/ -user_pref("security.OCSP.require", true); - /** CERTS / HPKP (HTTP Public Key Pinning) ***/ /* 1223: enable strict PKP (Public Key Pinning) * 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict @@ -435,9 +412,10 @@ user_pref("security.cert_pinning.enforcement_level", 2); * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default) * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071 - * [2] https://blog.mozilla.org/security/tag/crlite/ ***/ + * [2] https://blog.mozilla.org/security/tag/crlite/ + * [3] https://hacks.mozilla.org/2025/08/crlite-fast-private-and-comprehensive-certificate-revocation-checking-in-firefox/ ***/ user_pref("security.remote_settings.crlite_filters.enabled", true); // [DEFAULT: true FF137+] -user_pref("security.pki.crlite_mode", 2); +user_pref("security.pki.crlite_mode", 2); // [DEFAULT: 2 FF142+] /** MIXED CONTENT ***/ /* 1241: disable insecure passive content (such as images) on https pages ***/ @@ -1052,6 +1030,9 @@ user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true] // user_pref("privacy.cpd.history", ""); // user_pref("privacy.cpd.offlineApps", ""); // user_pref("privacy.cpd.sessions", ""); +/* 6051: prefsCleaner: reset previously active items removed from arkenfox FF140+ ***/ + // user_pref("security.OCSP.enabled", ""); + // user_pref("security.OCSP.require", ""); /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");